CVE-2026-42452: Termix Authentication Bypass Vulnerability

CVE-2026-42452 Overview

CVE-2026-42452 is an authentication bypass vulnerability in Termix, a web-based server management platform offering SSH terminal, tunneling, and file editing capabilities. Versions prior to 2.1.0 issue a temporary JSON Web Token (JWT) named temp_token through the /users/login endpoint for accounts with Time-based One-Time Password (TOTP) enabled. The token carries a pendingTOTP state intended only for the second-factor verification flow. The authentication middleware incorrectly accepts this token on regular authenticated endpoints, reducing two-factor authentication (2FA) to single-factor password authentication for impacted accounts. The issue is tracked under [CWE-304] and was patched in version 2.1.0.

Critical Impact

Attackers who obtain valid credentials can bypass TOTP-based 2FA entirely and access protected Termix endpoints, gaining full session-level access to SSH terminals, tunnels, and file editing functions.

Affected Products

• Termix versions prior to 2.1.0
• Termix deployments with TOTP-enabled user accounts
• Self-hosted Termix server management instances

Discovery Timeline

• 2026-05-08 - CVE-2026-42452 published to NVD
• 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-42452

Vulnerability Analysis

The vulnerability resides in the authentication middleware that validates JWTs issued by Termix. When a user with TOTP enabled submits valid credentials to /users/login, the server returns a temp_token containing a pendingTOTP claim. This claim signals that the token is incomplete and only authorizes the user to call the TOTP verification endpoint to obtain a full session token.

The middleware fails to inspect the pendingTOTP state before granting access to protected routes. As a result, the temp_token functions as a fully privileged session token. An attacker who acquires a valid username and password through credential stuffing, phishing, or password reuse can use the returned temp_token directly on any authenticated endpoint, bypassing the TOTP challenge.

Root Cause

The root cause is incomplete validation of the JWT payload during request authorization. The middleware verifies the token signature and expiry but does not enforce the pendingTOTP state restriction. This is classified as Improper Authentication for an Authentic Factor [CWE-304], where one authentication factor is accepted in place of the complete multi-factor flow.

Attack Vector

Exploitation requires network access to a Termix instance and possession of valid account credentials. The attacker authenticates against /users/login with the victim's password. The server returns a temp_token because the account has TOTP enabled. The attacker attaches this temp_token as the Authorization bearer header on subsequent requests to protected endpoints such as SSH session creation, tunnel configuration, or file editing routes. The middleware accepts the token without requiring TOTP completion, granting full account access.

No exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Termix Security Advisory GHSA-vx59-rf9w-9jv8 for upstream technical details.

Detection Methods for CVE-2026-42452

Indicators of Compromise

• Successful requests to authenticated Termix endpoints using a JWT containing a pendingTOTP: true claim.
• Absence of corresponding TOTP verification calls between /users/login and access to protected resources for TOTP-enabled accounts.
• Unexpected SSH session creation, tunnel setup, or file modification events tied to accounts that normally complete a 2FA challenge.

Detection Strategies

• Decode JWTs in Termix access logs and alert on tokens with pendingTOTP claims used on endpoints other than the TOTP verification route.
• Correlate /users/login events with subsequent TOTP verification events per session, flagging sessions that skip the verification step.
• Audit Termix application logs for authenticated activity originating from IP addresses or user agents that diverge from established baselines for 2FA-enabled accounts.

Monitoring Recommendations

• Enable verbose request logging on the Termix reverse proxy to capture Authorization headers and request paths for forensic review.
• Monitor outbound SSH connections initiated by the Termix host for anomalous destinations or timing.
• Track Termix version inventory across the environment to confirm all instances run version 2.1.0 or later.

How to Mitigate CVE-2026-42452

Immediate Actions Required

• Upgrade all Termix deployments to version 2.1.0 or later, which corrects the middleware to reject temp_token JWTs on non-TOTP endpoints.
• Rotate credentials for all accounts that may have authenticated to vulnerable Termix versions, particularly those with TOTP enabled.
• Invalidate all existing JWTs and require users to reauthenticate after the upgrade.
• Review Termix audit logs for unauthorized SSH sessions, tunnels, or file edits performed since deployment of an affected version.

Patch Information

The vulnerability is patched in Termix release 2.1.0. The fix updates the authentication middleware to reject tokens carrying the pendingTOTP state on any endpoint other than the TOTP verification route. Patch details are available in the Termix 2.1.0 Release Notes and the GitHub Security Advisory.

Workarounds

• If immediate upgrade is not feasible, disable TOTP on user accounts and rely on strong password policies combined with network-level access controls until the patch can be applied.
• Restrict access to the Termix web interface using a reverse proxy that enforces additional authentication, such as mutual TLS or an identity-aware proxy.
• Place Termix behind a VPN or zero-trust network access gateway to reduce exposure to credential-based attacks.

# Configuration example: verify Termix version and upgrade via Docker
docker pull ghcr.io/termix-ssh/termix:2.1.0
docker stop termix && docker rm termix
docker run -d --name termix \
  -p 8080:8080 \
  -v /opt/termix/data:/app/data \
  ghcr.io/termix-ssh/termix:2.1.0